In recent years, authors of malicious software (“malware”) have attempted to proliferate malware by generating thousands or potentially millions of variations of a malicious program or file. For example, a malware author may create a unique variant of a malicious file for each intended target by repacking, compressing, encrypting, and/or otherwise obfuscating the file before distributing (or redistributing) the same. Unfortunately, because many existing antivirus technologies detect malware by detecting or identifying unique digital signatures or fingerprints associated with known-malicious files, malware authors may avoid detection by such technologies by only distributing new (i.e., unique) variants of their malicious files.
In an attempt to combat this problem, at least one security-software vendor has attempted to implement a reputation-based security system. In a reputation-based security system, a security-software vendor may attempt to determine the trustworthiness of a file by collecting, aggregating, and analyzing data from potentially millions of user devices within a community, such as the security-software vendor's user base. For example, by determining a file's origin, age, and prevalence within the community (such as whether the file is predominantly found on at-risk or “unhealthy” machines within the vendor's user base), among other details, a security-software vendor may gain a fairly accurate understanding as to the trustworthiness of the file.
Current reputation-based security systems often face tradeoffs between the number of false negatives (i.e., how many malicious files are missed) and the number of false positives (i.e., how many benign files are misidentified as malicious). As such, the instant disclosure identifies a need for additional and improved systems and methods for identifying potential malware using reputation information.